Nmap Development mailing list archives

Re: Wireshark dissections of proposed UDP payloads


From: David Fifield <david () bamsoftware com>
Date: Wed, 19 Aug 2009 11:52:36 -0600

On Mon, Aug 10, 2009 at 02:53:40PM -0600, David Fifield wrote:
On Wed, Jul 22, 2009 at 11:55:42AM -0600, David Fifield wrote:
On Sat, Jul 04, 2009 at 11:59:23AM +0200, kx wrote:
This sounds like a really good idea! Out of curiosity, have you
played with any of Unicornscan's UDP payloads?

http://osace.svn.sourceforge.net/viewvc/osace/trunk/etc/payloads.conf?view=markup

This is one of the reasons Unicornscan started as udpscan in 2004.

In their FAQ they recognize another UDP scanner:
http://www.geocities.com/fryxar/scanudp.c

This Perl script also has a lot of nice UDP payloads, including some from nmap:

https://labs.portcullis.co.uk/application/udp-proto-scanner/
Inside the tgz: udp-proto-scanner.conf

Here's a summary of payloads we might want to incorporate. Of this list,
I think the most likely candidates are 111/rpcbind, 177/xdmcp,
500/isakmp, 520/route, 1645/radius, 1812/radius, 2049/nfs,
5353/zeroconf, 5632/pcanywherestat. Those are the ones in the top 100
UDP ports, anyway. I would appreciate if some experts could examine
those payloads and comment on their safety.

I have added payloads for all of these protocols, except pcanywherestat,
after researching them for safety. They were all taken from either
nmap-service-probes or from one of the scanners kx listed, though in
some cases I modified the payloads to make them shorter or less
arbitrary. For example, the RADIUS probe in scanudp.c arbitrarily used a
username and password of "a"; our probe contains no authentication at
all and is used only to get back an error response. In addition to the
probes above, I added one for amanda/10080, adapted from Unicornscan.

Of the potential payloads I listed in
http://seclists.org/nmap-dev/2009/q3/0290.html, there are two more that
are in the top 1,000 UDP ports: 5555/rplay and 5632/pcanywherestat.

rplay is a sound protocol. Here is Unicornscan's payload:

        /* rplay ping, needs work */
        udp 5555 -1 1 {
                "\x1e\x11\x00\x00"
        };

The two Unicornscan payloads for pcanywherestat are

        udp 5632 -1 1 {
                "NQ"
        };
        udp 5632 -1 1 {
                "ST"
        };

I'm not averse to adding these, but I don't know what they do and I
don't have a way of testing them. If someone can find out what they do,
let me know.
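The stanzas quoted above use Unicornscan's payloads.conf syntax: a protocol, a port, two numeric fields, and a brace-enclosed C-style string literal. The following is an added example (not code from Unicornscan or Nmap) that parses such stanzas into raw bytes, so a reviewer can see exactly what would go on the wire and compare it against a Wireshark dissection. The two numeric fields after the port are kept as opaque strings because their meaning is not given in this thread; the escape set, the comment handling, and the to_c_literal renderer are my assumptions about a reasonable C-like reading of the format.

```python
"""Parse Unicornscan-style UDP payload stanzas into (port, bytes) pairs.

Added example, not Unicornscan's or Nmap's code.  Stanza syntax follows the
entries quoted in the mail, e.g.

    udp 5632 -1 1 {
        "NQ"
    };

Assumed behaviour (not stated on the page): the numeric fields after the
port are opaque; adjacent string literals concatenate as in C; recognised
escapes are \\xHH, \\ooo, \\n, \\r, \\t, \\\\ and \\"; /* ... */ is a comment.
"""
from __future__ import annotations

import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Payload:
    proto: str
    port: int
    fields: tuple[str, ...]   # e.g. ("-1", "1"); meaning not interpreted here
    data: bytes


_COMMENT = re.compile(r"/\*.*?\*/", re.DOTALL)
_STANZA = re.compile(
    r"(?P<proto>udp|tcp)\s+(?P<port>\d+)\s+(?P<fields>(?:-?\d+\s+)*)"
    r"\{(?P<body>.*?)\}\s*;",
    re.DOTALL,
)
_STRING = re.compile(r'"((?:[^"\\]|\\.)*)"')
_ESCAPE = re.compile(r"\\(x[0-9A-Fa-f]{1,2}|[0-7]{1,3}|.)", re.DOTALL)
_SIMPLE = {"n": b"\n", "r": b"\r", "t": b"\t", "\\": b"\\", '"': b'"'}


def unescape(literal: str) -> bytes:
    """Decode the inside of a C string literal into bytes."""
    out = bytearray()
    pos = 0
    for m in _ESCAPE.finditer(literal):
        out += literal[pos:m.start()].encode("latin-1")
        esc = m.group(1)
        if esc[0] == "x":
            out.append(int(esc[1:], 16))
        elif esc[0] in "01234567":          # octal, \0 included
            out.append(int(esc, 8) & 0xFF)
        elif esc in _SIMPLE:
            out += _SIMPLE[esc]
        else:
            raise ValueError(f"unknown escape \\{esc}")
        pos = m.end()
    out += literal[pos:].encode("latin-1")
    return bytes(out)


def parse_payloads(text: str) -> list[Payload]:
    """Return every stanza in the file as a Payload with decoded bytes."""
    text = _COMMENT.sub("", text)
    result = []
    for m in _STANZA.finditer(text):
        data = b"".join(unescape(s) for s in _STRING.findall(m.group("body")))
        fields = tuple(m.group("fields").split())
        result.append(Payload(m.group("proto"), int(m.group("port")), fields, data))
    return result


def to_c_literal(data: bytes) -> str:
    """Render bytes as a C string literal, escaping non-printables as \\xHH.

    A printable hex digit directly after \\xHH is escaped as well, because a
    C parser would otherwise absorb it into the preceding hex escape.
    """
    out, prev_hex = [], False
    for b in data:
        ch = chr(b)
        printable = 0x20 <= b < 0x7F and ch not in '"\\'
        if printable and not (prev_hex and ch in "0123456789abcdefABCDEF"):
            out.append(ch)
            prev_hex = False
        else:
            out.append(f"\\x{b:02x}")
            prev_hex = True
    return '"' + "".join(out) + '"'


# Constructed sample: the three stanzas quoted in the mail.
SAMPLE = r"""
        /* rplay ping, needs work */
        udp 5555 -1 1 {
                "\x1e\x11\x00\x00"
        };
        udp 5632 -1 1 {
                "NQ"
        };
        udp 5632 -1 1 {
                "ST"
        };
"""

if __name__ == "__main__":
    for p in parse_payloads(SAMPLE):
        print(p.proto, p.port, p.fields, len(p.data), "bytes:", to_c_literal(p.data))
```

Running it on the constructed sample prints one line per stanza with the decoded length and a re-rendered literal; the same loop over a real payloads.conf gives a quick inventory of which ports carry which bytes before anyone decides whether a payload is safe to adopt.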

UDP payloads are cool; they turn this output

All 1000 scanned ports are open|filtered because of 1000 no-responses

into this:

Not shown: 998 open|filtered ports
Reason: 998 no-responses
PORT     STATE SERVICE  REASON
123/udp  open  ntp      udp-response
5353/udp open  zeroconf udp-response

If you have a new payload to offer, please send it in, preferably along
with documentation on what it does, what kind of response is expected,
and the command that generated it.

David Fifield

_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://SecLists.Org